Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)


/jffs/scripts/dnsmasq.postconf (as shown in nano 4.9.2):
Code:
#!/bin/sh
. /opt/share/diversion/file/post-conf.div # Added by Diversion
sh /jffs/addons/unbound/unbound.postconf "$1" # unbound_manager

/jffs/addons/unbound/unbound.postconf (the script called above):
Code:
#!/bin/sh

CONFIG=$1
source /usr/sbin/helper.sh   # provides pc_delete / pc_replace / pc_append

######################################################################
##### DO NOT EDIT THIS FILE MANUALLY                            #######
##### You are probably looking for                              #######
##### your customising script                                   #######
##### '/opt/share/unbound/configs/unbound.postconf'             #######
######################################################################
logger -t "(dnsmasq.postconf)" "Updating $CONFIG for unbound....." # unbound_manager

ROUTER="$(nvram get lan_ipaddr_rt)"

if [ -n "$(pidof unbound)" ];then
    if [ -n "$(grep -E "^port: 53535" /opt/var/lib/unbound/unbound.conf)" ];then # Forward dnsmasq DNS requests to unbound
        pc_delete "servers-file" $CONFIG
        # By design, if GUI DNSSEC ENABLED then attempt to modify 'cache-size=0' results in dnsmasq start-up fail loop
        # dnsmasq[15203]: cannot reduce cache size from default when DNSSEC enabled
        # dnsmasq[15203]: FAILED to start up
        if [ -n "$(grep "^dnssec" $CONFIG)" ];then
            pc_delete "dnssec" $CONFIG
            logger -t "(dnsmasq.postconf)" "**Warning: Removing 'dnssec' directive from 'dnsmasq' to allow DISABLE cache (set 'cache-size=0')"
        fi

        pc_replace "cache-size=1500" "cache-size=0" $CONFIG
        UNBOUNDLISTENADDR="127.0.0.1#53535"
        #UNBOUNDLISTENADDR="$(netstat -nlup | awk '/unbound/ { print $4 } ' | tr ':' '#')" # unbound_manager
        pc_append "server=$UNBOUNDLISTENADDR" $CONFIG
        if [ "$(uname -o)" == "ASUSWRT-Merlin-LTS" ];then # Requested by @dave14305
            pc_delete "resolv-file" $CONFIG
            pc_append "no-resolv" $CONFIG
        fi
    else
        logger -t "(dnsmasq.postconf)" "dnsmasq DNS bypassed. unbound will be the primary DNS for ALL LAN Clients."

        [ -z "$(grep -F "port=0" $CONFIG)" ] && pc_append "port=0" $CONFIG # Disable dnsmasq DNS resolver function
        [ -z "$(grep -F "dhcp-option=lan,6,$ROUTER" $CONFIG)" ] && pc_append "dhcp-option=lan,6,$ROUTER" $CONFIG
        pc_delete "servers-file" $CONFIG
        pc_delete "no-negcache" $CONFIG
        pc_delete "domain-needed" $CONFIG
        pc_replace "cache-size=1500" "cache-size=0" $CONFIG
    fi
else
    sed -i '/port=0/d' $CONFIG
    # (the pasted script ends here; the rest of this 'else' branch was not included in the post)
fi
 
Sadly I would have to disagree...with your 'otherwise' statement.

There is a URL that tabulates (with caveats) the feature list between dnsmasq and unbound, and unsurprisingly they are for all intents and purposes identical....except

i.e. there is only one feature in the comparison table where unbound seemingly has a unique-selling-point:

Split horizon:
Servers with the split-horizon DNS feature can give different answers depending on the source IP address of the query.

Now does this feature matter on a router, or more importantly, is this something that would be useful if applied to your home LAN devices?

Disabling dnsmasq would therefore open up the opportunity to exploit this currently unique unbound feature; ultimately experiencing the tangible benefit - wouldn't you agree?

P.S. You can review the DNS Server comparison here

Only time will tell if people would actually take advantage of this one benefit. Since Asus firmware with additional frameworks and addons use dnsmasq and associated configuration files it means there is always a chance something will get broken.
 
Is this already available with the current version of unbound_manager?

As in, can I disable queries for YouTube for just one client (with dnsmasq disabled)?
thanks
Yes...well technically unbound supports it, there is menu option to manage Split Horizon

i.e. you would need to manually define the client device in 'unbound.conf.add' to block YouTube, but again the answer is Yes
 
Yes...well technically unbound supports it, there is menu option to manage Split Horizon

i.e. you would need to manually define the client device in 'unbound.conf.add' to block YouTube, but again the answer is Yes
Is a menu option planned? Or is it overkill? :)
 
Is a menu option planned? Or is it overkill? :)
You mean something like
Code:
urltag    [ 'create' {tag url} ] | [ { [ 'add' | 'del' ] tag IP }]
to create the rules? …….;)

e.g. insert into '/opt/share/unbound/configs/unbound.conf.add' if you want to test it
Code:
# Client 10.88.8.111 is blocked from accessing YouTube, but all other LAN clients' DNS requests for YouTube are allowed as normal.

# Create the 'Category/Classification' tag
define-tag: "NoYouTube"

# Associate the zone with the defined 'Category/Classification' tag
local-zone:     www.youtube.com typetransparent
local-zone-tag: www.youtube.com NoYouTube

# Add the client(s) to be associated with the 'Category/Classification' ('NoYouTube') tag
access-control:            10.88.8.111/32 allow
access-control-tag:        10.88.8.111/32 "NoYouTube"
access-control-tag-action: 10.88.8.111/32 "NoYouTube" refuse


# Alternatively redirect the blocked YouTube client to a custom polite internal block page
#access-control-tag-action: 10.88.8.111/32 "NoYouTube" redirect
#access-control-tag-data:   10.88.8.111/32 "NoYouTube" "A 10.88.8.xxx"

NOTE: In the documentation, it is advised to limit the number of discrete tags and instead to adopt/use unbound 'views' (which are apparently far simpler to configure, but I haven't personally used them.)
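To reason about what the tag directives above do for a given client before deploying them, here is an added Python model (not code from the post, unbound_manager or unbound itself): it parses the snippet and reports the local-zone type a query from a client would get. The matching rules (longest-prefix access-control match, tagged zones skipped for clients without the tag, access-control-tag-action overriding the zone type) are a simplified assumption about unbound's tag lookup, so confirm the real behaviour with unbound-checkconf and a test query from the client.

```python
import ipaddress

CONF = """
define-tag: "NoYouTube"
local-zone:     www.youtube.com typetransparent
local-zone-tag: www.youtube.com NoYouTube
access-control:            10.88.8.111/32 allow
access-control-tag:        10.88.8.111/32 "NoYouTube"
access-control-tag-action: 10.88.8.111/32 "NoYouTube" refuse
"""  # constructed input: the tag-based per-client YouTube block from the post above

def parse(conf):
    """Collect only the directives the split-horizon snippet relies on."""
    zones, zone_tags, acl_tags, tag_actions = {}, {}, {}, {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()        # comments and blank lines fall through
        key, _, rest = line.partition(":")
        f = [t.strip('"') for t in rest.split()]   # drop the quotes around tag names
        if key == "local-zone":
            zones[f[0].rstrip(".").lower()] = f[1]
        elif key == "local-zone-tag":
            zone_tags[f[0].rstrip(".").lower()] = set(f[1:])
        elif key == "access-control-tag":
            acl_tags[ipaddress.ip_network(f[0])] = set(f[1:])
        elif key == "access-control-tag-action":
            tag_actions[(ipaddress.ip_network(f[0]), f[1])] = f[2]
    return zones, zone_tags, acl_tags, tag_actions

def answer_type(conf, client_ip, qname):
    """Zone type a query gets under a simplified model of unbound's tag lookup
    (an assumption, not unbound's code); 'transparent' means resolve normally."""
    zones, zone_tags, acl_tags, tag_actions = parse(conf)
    ip = ipaddress.ip_address(client_ip)
    # The longest-prefix access-control element decides which tags the client carries.
    nets = sorted((n for n in acl_tags if ip in n), key=lambda n: n.prefixlen)
    net = nets[-1] if nets else None
    client_tags = acl_tags[net] if net else set()
    labels = qname.rstrip(".").lower().split(".")  # walk from the full name up to the root
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone not in zones:
            continue
        common = zone_tags.get(zone, set()) & client_tags
        if zone_tags.get(zone) and not common:
            continue  # tagged zone but this client lacks the tag: zone is skipped
        if common:    # access-control-tag-action overrides the zone's own type
            return tag_actions.get((net, sorted(common)[0]), zones[zone])
        return zones[zone]
    return "transparent"
```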
 
Only time will tell if people would actually take advantage of this one benefit. Since Asus firmware with additional frameworks and addons use dnsmasq and associated configuration files it means there is always a chance something will get broken.
Whatever
 
So you are running with Unbound as your primary DNS server (dnsmasq disabled) and yet Diversion still works for you? (cf. what Tomsk wrote: “The downside is that anything that relies on dnsmasq like Diversion won't work anymore.”)
Yeah, I read that too, but as I've said, Diversion seems to be working for me (blocking ads at the router level with no browser addon, along with the YouTube blocking feature) while showing my IP as my own DNS server.
 
Generating unbound-anchor 'root.key'.....
/opt/sbin/unbound-anchor: error while loading shared libraries: libunbound.so.8: cannot open shared object file: No such file or directory
Did you run
Code:
opkg remove --force-depends libunbound
 
Yes sir!
ceolus@RT-AC86U-D6D8:/tmp/home/root# opkg remove --force-depends libunbound
No packages removed.
Can you try uninstalling the existing config
Code:
e  = Exit Script [?]

E:Option ==> 2
then retry the install.
 
Is there a way to temporarily disable adblock (without uninstalling, that is?)
 
Is there a way to temporarily disable adblock (without uninstalling, that is?)
Use the 'vx' command to manually comment out the line:
Code:
include: /opt/var/lib/unbound/adblock/adservers
 
Use the 'vx' command to manually comment out the line:
Code:
include: /opt/var/lib/unbound/adblock/adservers
That works, thank you!
Any chance to have the enable/disable switch on the adblock line along with uninstall | update | track?
 
You mean something like
Code:
urltag    [ 'create' {tag url} ] | [ { [ 'add' | 'del' ] tag IP }]
to create the rules? …….;)

e.g. insert into '/opt/share/unbound/configs/unbound.conf.add' if you want to test it
Code:
# Client 10.88.8.111 is blocked from accessing YouTube, but all other LAN clients' DNS requests for YouTube are allowed as normal.

# Create the 'Category/Classification' tag
define-tag: "NoYouTube"

# Associate the zone with the defined 'Category/Classification' tag
local-zone:     www.youtube.com typetransparent
local-zone-tag: www.youtube.com NoYouTube

# Add the client(s) to be associated with the 'Category/Classification' ('NoYouTube') tag
access-control:            10.88.8.111/32 allow
access-control-tag:        10.88.8.111/32 "NoYouTube"
access-control-tag-action: 10.88.8.111/32 "NoYouTube" refuse


# Alternatively redirect the blocked YouTube client to a custom polite internal block page
#access-control-tag-action: 10.88.8.111/32 "NoYouTube" redirect
#access-control-tag-data:   10.88.8.111/32 "NoYouTube" "A 10.88.8.xxx"

NOTE: In the documentation, it is advised to limit the number of discrete tags and instead to adopt/use unbound 'views' (which are apparently far simpler to configure, but I haven't personally used them.)

Views would work something like this for the same scenario?
Code:
# Client 10.88.8.111 is blocked from accessing YouTube, but all other LAN clients' DNS requests for YouTube are allowed as normal.

# Create the view clause to reject requests to www.youtube.com with rcode REFUSED

view:
    name: "NoYouTube"
    local-zone: "www.youtube.com" refuse

# Associate the client(s) with the view clause (NoYouTube)

access-control-view: 10.88.8.111/32 "NoYouTube"

# Alternatively redirect the blocked YouTube client to a custom polite internal block page
# (use this INSTEAD of the view above; a second view with the same name is rejected as a duplicate)

#view:
#    name: "NoYouTube"
#    local-zone: "www.youtube.com" redirect
#    local-data: "www.youtube.com IN A 10.88.8.xxx"
 
That works, thank you!
Any chance to have the enable/disable switch on the adblock line along with uninstall | update | track?

The install and uninstall is very light. I don’t see the harm in uninstalling and reinstalling. Have you had any issues?
 
